Can I mix authentication and authorities providers in the same app/context?
Hello,
I have a requirement for an application I'm building at the office.
We are using Spring MVC 3.1/Tomcat6
I've got my basic framework up and running properly, but I'm having an issue with authentication and authorities.
Basically, what I want to do is:
1) Login/Authenticate via LDAP
2) Define a jdbc-user-service that will use one our database for authorities
I've gotten to the point where #1 is working properly, but I can't figure out how to make Spring Security check the user-service outside of LDAP for authorities. In the log4j DEBUG level-logging, I don't see anything that implies it's looking at my jdbc-based authorities.
Here is my (current) security config:
Code:<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <security:jdbc-user-service id="userService" data-source-ref="billingDataSource" authorities-by-username-query=" SELECT clp.login LOGIN_NM, rights.display_name ROLE_NM FROM ... WHERE ... AND clp.login = ? "/> <!-- Configure an authentication manager spring-security element to provide the authentication management and user search filter --> <security:authentication-manager alias="authenticationManager" > <security:ldap-authentication-provider user-search-filter="(samaccountname={0})"/> <security:authentication-provider user-service-ref="userService" /> </security:authentication-manager> <security:http auto-config="true" use-expressions="true"> <!-- IMPORTANT: Intercept rules are applied top-to-bottom. Order of precedence is CRITICAL --> <security:intercept-url pattern="/home" access="hasRole('Developer Rights')"/> <security:intercept-url pattern="/**" access="isAuthenticated()" /> </security:http> <!-- enable AOP security --> <security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" jsr250-annotations="enabled" /> <!-- connect to ldap server to authenticate requests --> <security:ldap-server url="ldap://ldapproxy.domain.com/dc=host,dc=domain" port="389" manager-dn="cn=binder,dc=host,dc=domain" manager-password="${ldap.reader.password}"/> </beans>
Some log excerpts.
Code:DEBUG [http-8080-4] (FilterChainProxy.java:337) - /home at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' DEBUG [http-8080-4] (HttpSessionSecurityContextRepository.java:158) - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@bf0231c1: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bf0231c1: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@40fe4ef1: Dn: cn=lastname\, firstname R,ou=Users,ou=Digital Corp,dc=blue,dc=host,dc=domain; Username: myuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 2A456EBAB78FADAD14EFFBAC1C677A84; Not granted any authorities' DEBUG [http-8080-4] (FilterChainProxy.java:337) - /home at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter' DEBUG [http-8080-4] (FilterChainProxy.java:337) - /home at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' DEBUG [http-8080-4] (FilterChainProxy.java:337) - /home at position 4 of 11 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter' DEBUG [http-8080-4] (FilterChainProxy.java:337) - /home at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter' DEBUG [http-8080-4] (FilterChainProxy.java:337) - /home at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' DEBUG [http-8080-4] (FilterChainProxy.java:337) - /home at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' DEBUG [http-8080-4] (FilterChainProxy.java:337) - /home at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' DEBUG [http-8080-4] (AnonymousAuthenticationFilter.java:107) - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bf0231c1: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@40fe4ef1: Dn: cn=lastname\, firstname R,ou=Users,ou=Digital Corp,dc=blue,dc=host,dc=domain; Username: myuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 2A456EBAB78FADAD14EFFBAC1C677A84; Not granted any authorities' DEBUG [http-8080-4] (FilterChainProxy.java:337) - /home at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter' DEBUG [http-8080-4] (FilterChainProxy.java:337) - /home at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' DEBUG [http-8080-4] (FilterChainProxy.java:337) - /home at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' DEBUG [http-8080-4] (AntPathRequestMatcher.java:103) - Checking match of request : '/home'; against '/home' DEBUG [http-8080-4] (AbstractSecurityInterceptor.java:194) - Secure object: FilterInvocation: URL: /home; Attributes: [hasRole('Billing Developer Rights')] DEBUG [http-8080-4] (AbstractSecurityInterceptor.java:310) - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bf0231c1: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@40fe4ef1: Dn: cn=lastname\, firstname R,ou=Users,ou=Digital Corp,dc=blue,dc=host,dc=domain; Username: myuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 2A456EBAB78FADAD14EFFBAC1C677A84; Not granted any authorities DEBUG [http-8080-4] (AffirmativeBased.java:65) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6c7d3bc4, returned: -1 DEBUG [http-8080-4] (ExceptionTranslationFilter.java:172) - Access is denied (user is not anonymous); delegating to AccessDeniedHandler org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206) ...etc.
Thanks in advance for any assistance you can provide.
Reply With Quote